{
	"id": "4374710d-bc16-4274-af40-979bdd0a1d51",
	"created_at": "2026-04-06T00:20:13.949178Z",
	"updated_at": "2026-04-10T03:24:07.559891Z",
	"deleted_at": null,
	"sha1_hash": "a8fb80bdc2f14c37ec69e108d3c479883f449b54",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 43474,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 22:45:26 UTC\r\n APT group: Tortilla\r\nNames Tortilla (TG Soft)\r\nCountry [Unknown]\r\nMotivation Financial gain\r\nFirst seen 2021\r\nDescription\r\n(Talos) Cisco Talos recently discovered a malicious campaign deploying variants of the Babuk\r\nransomware predominantly affecting users in the U.S. with smaller number of infections in\r\nU.K., Germany, Ukraine, Finland, Brazil, Honduras and Thailand.\r\nThe actor of the campaign is sometimes referred to as Tortilla, based on the payload file names\r\nused in the campaign. This is a new actor operating since July 2021. Prior to this ransomware,\r\nTortilla has been experimenting with other payloads, such as the PowerShell-based netcat\r\nclone Powercat, which is known to provide attackers with unauthorized access to Windows\r\nmachines.\r\nWe assess with moderate confidence that the initial infection vector is exploitation of\r\nProxyShell vulnerabilities in Microsoft Exchange Server through the deployment of China\r\nChopper web shell.\r\nObserved Countries: Brazil, Finland, Germany, Honduras, Thailand, UK, Ukraine, USA.\r\nTools used Babuk Locker, China Chopper.\r\nInformation \u003chttps://blog.talosintelligence.com/2021/11/babuk-exploits-exchange.html\u003e\r\nLast change to this card: 04 November 2021\r\nDownload this actor card in PDF or JSON format\r\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=25af3745-49fb-4e81-b341-6e7395349970\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=25af3745-49fb-4e81-b341-6e7395349970\r\nPage 1 of 1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=25af3745-49fb-4e81-b341-6e7395349970"
	],
	"report_names": [
		"showcard.cgi?u=25af3745-49fb-4e81-b341-6e7395349970"
	],
	"threat_actors": [
		{
			"id": "8bd26575-9221-47d1-9d8b-5c18354dc1bd",
			"created_at": "2022-10-25T16:07:24.335Z",
			"updated_at": "2026-04-10T02:00:04.94173Z",
			"deleted_at": null,
			"main_name": "Tortilla",
			"aliases": [],
			"source_name": "ETDA:Tortilla",
			"tools": [
				"Babuk",
				"Babuk Locker",
				"Babyk",
				"CHINACHOPPER",
				"China Chopper",
				"SinoChopper",
				"Vasa Locker"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434813,
	"ts_updated_at": 1775791447,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a8fb80bdc2f14c37ec69e108d3c479883f449b54.pdf",
		"text": "https://archive.orkl.eu/a8fb80bdc2f14c37ec69e108d3c479883f449b54.txt",
		"img": "https://archive.orkl.eu/a8fb80bdc2f14c37ec69e108d3c479883f449b54.jpg"
	}
}